Information Security Strategy Lagging in India

The Global State of Information Security Survey, 2013 by PwC found that 75 percent of respondents in India, as opposed to 45 percent of global peers, expect their companies to increase spending on information security in 2013, but they’re probably spending it on the wrong things.

The improved economic environment, business continuity, disaster recovery, and regulatory compliance are the main reasons for the increase in spending. Before CIOs spend their budgets, they should know that there are several potential issues with Indian CIO security habits revealed by PwC’s India-specific report.

While 45 percent thought they had all the attributes of an information security leader, the report found only 15 percent could say they had all of the following basic requirements for good security: an overall information security strategy; a chief security officer (or equivalent); reviews of the effectiveness of information security practices within the past year; and complete knowledge of security events in the past year.

While 80 percent were confident that their organizations had instilled effective security behavior in their work culture, the truth was entirely different. Only 32 percent actually incorporated information security into a project at inception. 29 percent brought it in at the design and analysis phase; 13 percent thought of it only during implementation; and one in six admitted that it was brought in on an as-needed basis. Most of them lacked an incident-response process to report and handle breaches at third-party sites and there was no compliance requirement for third parties regarding privacy policies.

While there was a three-fold increase in reported security breaches -- mostly traced to employees -- the financial losses incurred showed a dip. A closer look has revealed that while a majority of companies count the loss of customer business, many of them neglect to factor in damage to brand and reputation, audit and consulting services, investigation and forensics, legal defense services, and costs of court settlements. So the dip is probably, in fact, a hump.

The most disturbing trend, however, is the decline in the use of basic information security detection technologies and a relaxation of fundamental security principles. Companies have reduced use of malicious code detection tools, tools for spyware and adware, and intrusion detection tools. Use of tools for vulnerability scanning, security event correlation, and data loss prevention has also decreased. Policies defining backup and recovery, business continuity, user administration, application security, physical security, and management practices like segregation of duties have all seen a decline.

Though India is one of the fastest growing mobile technology markets, adoption of security strategies for mobile (46 percent), social media (37 percent), and cloud (31 percent) is lagging. Interestingly, 52 percent of the respondents had a security strategy to address personal devices in the workplace, but only 38 percent had malware protection for mobile devices, indicating a lag between strategy and basic execution.

The report paints a rather bleak picture of current Indian security practices. So it is a good thing that they are spending more. What are the lessons from these findings CIOs can use to make next year’s spending more meaningful? Clearly, CIOs or CISOs should:

Align security strategy to business objective and make it integral to every project at the start.

@geeky: that's quite true. So for the sake of sleeping at night perhaps it's human nature for us to think our systems are more secure than they actually are. This, however, can lead to frightening consequences.

In general though, looks like information security strategy isn't that stabilized anywhere even though the US may be doing a little better. With the number of compromises reported each year, there's a lot to be desired in that industry.
